
Static NAT breaks communications with internal IP address

Timothy Patrick
Level 1

I am attempting to create a static NAT for forwarding SSH traffic from an external IP to an internal IP. I have created the static NAT using the following statement:

 

ip nat source static tcp 192.168.0.15 22 x.x.x.x 8022 vrf vrfname

 

The entry is put into the translation table and I am able to access the port externally. Once the static NAT is configured I lose connectivity to the internal IP address 192.168.0.15. Is there a way to still be able to perform the NAT and maintain access to the internal IP?

 

Thank you for any suggestions. 

8 Replies

Seb Rupik
VIP Alumni

Hi there,

Have you tried adding the inside keyword to the NAT statement for inside address translation:

 

!
ip nat inside source static tcp 192.168.0.15 22 x.x.x.x 8022 vrf vrfname
!

cheers,

Seb.

If I add inside to the statement, the NAT shows up in the global translation table and not under the NVI. It also does not let me get to the outside port. It shows up as filtered, but there are no ACLs on the interface preventing access to the port.

Deepak Kumar
VIP Alumni

Hi, 

What is the current configuration?

Is there NAT configured?

 

Regards,

Deepak Kumar


NAT is enabled and working for outbound internet access. 

 

interface GigabitEthernet0/0
description -> Outside
bandwidth 1000000
ip address x.x.x.x x.x.x.x
no ip proxy-arp
ip nat enable
duplex auto
speed auto

 

interface Port-channel1.1100
description -> 192.168.0.0_24
encapsulation dot1Q 1100
vrf forwarding LAB
ip address 192.168.0.1 255.255.255.0
ip helper-address 192.168.0.11
ip nat enable

 

ip nat pool NAT_POOL x.x.x.x x.x.x.x prefix-length 30
ip nat source list ACL_NAT pool NAT_POOL vrf LGCY overload
ip nat source list ACL_NAT pool NAT_POOL vrf LAB overload

ip nat source static tcp 192.168.0.15 22 x.x.x.x 8022 extendable

 

ip access-list extended ACL_NAT
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any

 

show ip nat nvi translations vrf LAB 
tcp x.x.x.x:8022 192.168.0.15:22 --- ---

Hi,

Please correct it:

ip nat inside source static tcp 192.168.0.15 22 x.x.x.x 8022 vrf <name if any>

 

Regards,

Deepak Kumar


If I add inside to the statement, the NAT shows up in the global translation table and not under the NVI. It also does not let me get to the outside port. It shows up as filtered, but there are no ACLs on the interface preventing access to the port.

So I have tried with both NAT statements:


ip nat source static tcp 192.168.0.15 22 x.x.x.x 8022 vrf LAB extendable

- This allows me to get to the IP externally on port 8022 and successfully NATs to the internal address on port 22, but I lose connectivity to port 22 on the internal IP address.

 

The below statement does not allow me to get to the external IP address or the internal on port 22, and the port shows filtered using Nmap:
ip nat inside source static tcp 192.168.0.15 22 x.x.x.x 8022 vrf LAB extendable



Hi

Sorry that this solution is not working. If your DNAT command is working fine then you have to look into the SNAT configuration. 

Is it possible to provide SNAT debug output?

 

Regards,

Deepak Kumar
